Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4966)

2021-01-2009:19:36

www.ibm.com

ibm

security identity governance

samesite attribute

vulnerability

cve-2020-4966

release

igi

fix

security

EPSS

0.001

Percentile

32.5%

JSON

Summary

IBM has announced a release for IBM Security Identity Governance and Intelligence (IGI) in response to security vulnerability. The vulnerability concerns the fact that the cookies set by the IBM Security Identity Governance and Intelligence application are missing the SameSite attribute.

Vulnerability Details

CVEID:CVE-2020-4966
**DESCRIPTION:**IBM Security Identity Governance Virtual Appliance does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192423 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)